VPN Questions - 3005 to ASA5510

We are moving from a 3005 concentrator to an ASA5510 and I have a couple of questions.

In the 3005 you can disable and enable VPN tunnels rather easily. You go into the policy and check or uncheck the enable box. What is the method to temporarily disable a tunnel on the ASA? Through the ASDM preferably, for ease of management.

Also, I want my remote access sessions to timeout after 8 hours. It shows in the tunnel policy in the ASDM that it is set for 8 (28800) hours but I don't see this value in the config at all. I do see a value of 86400 for the isakmp policy though. If it's set in the ASDM as 8 hours why doesn't it show up in the config? Which takes precedence on the timeout, the tunnel policy or the isakmp policy?

Replies

For your remote access users, the VPN session maximum connection time can be specified in the tunnel group policy attributes. In ASDM go to your tunnel group > General, expand More Options and uncheck Maximum Connect Time; there you can specify minutes, and the VPN session will terminate when it reaches the specified time in minutes.

For example, to specify 90 minutes you can also do it through the CLI. Note this is not a timeout; this will drop the session in 90 minutes for all members of the tunnel group.

As for disabling/enabling L2L VPN sessions, there is no disable/enable option like in the VPN concentrators. I know that is a nice feature in the concentrator, but I have not seen a feature in the ASA like that, or I'm not aware of one yet.
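The CLI equivalent of the group-policy setting described in the reply above, added here as an example and not part of the reply itself. It uses ASA 8.x syntax; the names RA_GROUP and RA_TUNNEL are assumed, the 8-hour value comes from the question, and the 86400 value is the ISAKMP lifetime the question mentions.

```cisco
! Added example (not from the reply): ASA 8.x CLI for the remote-access session limits.
! Group-policy and tunnel-group names RA_GROUP / RA_TUNNEL are assumed.
!
! 1) Per-session hard limit, in MINUTES. 480 min = 8 h (the 28800 s ASDM shows).
!    This is what ASDM's "Maximum Connect Time" writes. It is a hard cutoff,
!    not an inactivity timeout, and applies to every user of the group policy.
group-policy RA_GROUP internal
group-policy RA_GROUP attributes
 vpn-session-timeout 480
 ! Inactivity timeout, also in minutes (what is usually meant by "timeout").
 vpn-idle-timeout 30
!
! 2) Bind the policy to the remote-access tunnel group.
tunnel-group RA_TUNNEL type remote-access
tunnel-group RA_TUNNEL general-attributes
 default-group-policy RA_GROUP
!
! 3) The 86400 seen in the config is the ISAKMP (Phase 1) SA lifetime in SECONDS.
!    It governs IKE rekeying, not how long a user may stay connected; the SA is
!    renegotiated when it expires and the user session continues.
crypto isakmp policy 10
 lifetime 86400
!
! Verify which limit is in force for the policy and the active sessions:
! show running-config group-policy RA_GROUP
! show vpn-sessiondb remote
```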

As far as disabling the L2L VPN tunnel without deleting the complete configuration, I would probably change the secret key to something else on that particular tunnel. IPsec Phase 1 will not complete and the tunnel will never come up, until you put the right secret key back again through ASDM or the CLI.